United States Patent
Ankney et al.

[11] Patent Number: 5,113,499
[45] Date of Patent: May 12, 1992

[54] TELECOMMUNICATION ACCESS MANAGEMENT SYSTEM FOR A PACKET SWITCHING NETWORK

[75] Inventors: Richard C. Ankney, Chantilly; Ronald P. Bonica, Falls Church, both of Va.; Douglas E. Kay, Chevy Chase, Md.; Patricia A. Pashayan, Herndon; Roy L. Spitzer, Vienna, both of Va.

[73] Assignee: Sprint International Communications Corp., Reston, Va.

[21] Appl. No.: 344,905

[22] Filed: Apr. 28, 1989

[51] Int. Cl.: G06F 13/14

[52] U.S. Cl.: 395/325; 364/DIG. 1; 364/286.5; 364/282.1; 364/284.1; 364/242.94; 395/725

[58] Field of Search: 364/200 MS File, 900 MS File

Primary Examiner: Thomas M. Heckler
Attorney, Agent, or Firm: Leitner, Greene & Christensen



[57] ABSTRACT

A security access management system for a packet switched data communications network has access management apparatus operatively associated with the packet switches at each entry point of the network. The access management apparatus includes an administrative host processor for examining user terminal authorization information in packets received at the associated packet switch for transmission through the network to destination addresses for the packets. A database associated with the administrative host stores information including levels of authorization of the user terminals for the respective entry point of the network for access to specified destinations, as pre-assigned by the network customer. Also included in the access management apparatus is a validation host processor which responds to comparisons between the user terminal authorization information contained in the packet and the pre-assigned level of authorization for the same user terminal, and, if they correspond, grants access by that user terminal through the associated packet switch to the destination address with which a communication session is requested; or, if they differ, denies such access. The access management apparatus is located remote from the user terminals using the particular entry point for the network.

12 Claims, 14 Drawing Sheets
TELECOMMUNICATION ACCESS MANAGEMENT SYSTEM FOR A PACKET SWITCHING NETWORK

BACKGROUND OF THE INVENTION

The present invention relates generally to data communication networks, and more particularly to a system for managing access by users and host computers to at least certain destinations which may be other users or hosts within a packet switching network.

In packet switching networks, packets in the form of units of data are transmitted from a source — such as a user terminal, computer, application program within a computer, or other data handling or data communication device — to a destination, which may be simply another data handling or data communication device of the same character. The devices themselves typically are referred to as users, in the context of the network. Blocks or frames of data are transmitted over a link along a path between nodes of the network. Each block consists of a packet together with control information in the form of a header and a trailer which are added to the packet as it exits the respective node. The header typically contains, in addition to the destination address field, a number of subfields such as operation code, source address, sequence number, and length code. The trailer is typically a technique for generating redundancy checks, such as a cyclic redundancy code for detecting errors. At the other end of the link, the receiving node strips off the control information, performs the required synchronization and error detection, and reinserts the control information onto the departing packet. Packet switching arose, in part, to fulfill the need for low cost data communications in networks developed to allow access to host computers. Special purpose computers designated as communication processors have been developed to offload the communication handling tasks which were formerly required of the host. The communication processor is adapted to interface with the host and to route packets along the network; consequently, such a processor is often simply called a packet switch. Data concentrators have also been developed to interface with hosts and to route packets along the network. In essence, data concentrators serve to switch a number of lightly used links onto a smaller number of more heavily used links. They are often used in conjunction with, and ahead of, the packet switch.

In virtual circuit (VC) or connection-oriented transmission, packet-switched data transmission is accomplished via predetermined end-to-end paths through the network, in which user packets associated with a great number of users share link and switch facilities as the packets travel over the network. The packets may require storage at nodes between transmission links of the network until they may be forwarded along the respective outgoing link for the overall path. In connectionless transmission, another mode of packet-switched data transmission, no initial connection is required for a data path through the network. In this mode, individual datagrams carrying a destination address are routed through the network from source to destination via intermediate nodes, and do not necessarily arrive in the order in which they were transmitted.

The widely-used Telenet public packet switching network routes data using a two-level hierarchy. The hierarchy comprises a long distance-spanning backbone network with a multiplicity of nodes or hubs, each of which utilizes a cluster of backbone switches; and smaller geographic area networks with backbone trunks, access lines and clustered lower level switches connected to each hub. Packet-switched data is transmitted through the network via VCs, using CCITT (International Telegraph and Telephone Consultative Committee of the International Telecommunications Union) X.75 protocol, which is a compatible enhancement of X.25 protocol.

For a communication session to proceed between the parties to a connection, it is essential that data be presented in a form that can be recognized and manipulated. The sequence of required tasks at each end, such as the format of the data delivered to a party, the rate of delivery of the data, and resequencing of packets received out of order, is generally handled in an organized manner using layered communication architectures. Such architectures address the two portions of the communications problem: one being that the delivery of data by an end user to the communication network should be such that the data arriving at the destination is correct and timely, and the other being that the delivered data must be recognizable and in proper form for use. These two portions are handled by protocols, or standard specifications for communicating intelligently, the second portion by higher level protocols. Each of these protocols has a series of layers, examples of which include the Systems Network Architecture (SNA) developed by IBM, and the subsequently developed Open Systems Interconnection (OSI) reference model. The latter has seven layers, three of which are network services oriented, including the physical, data link, and network layers, and the other four providing services to the end user by means of the transport, session, presentation, and application layers, from lowest to highest layer.

X.25 is an interface organized as a three-layered architecture for connecting data terminals, computers, and other user systems or devices, generally referred to as data terminal equipment (DTE), to a packet-switched network through data circuit terminating equipment (DCE) utilized to control the DTE's access to the network. The three layers of the X.25 interface architecture are the physical level, the frame level and the packet level. Although data communication between DCEs of the network is routinely handled by the network operator typically using techniques other than X.25, communication between the individual user system and the respective DCE with which it interfaces to the network is governed by the X.25 or similar protocol. In essence, X.25 establishes procedures for congestion control among users, as well as call setup (or connect) and call clearing (or disconnect) for individual users, handling of errors, and various other packet transmission services within the DTE-DCE interface.

X.25 is employed for virtual circuit (VC) connections, including the call setup, data transfer, and call clearing phases. Call setup between DTEs connected to the network is established by one DTE issuing an X.25 call-request packet to the related DCE, the packet containing the channel number for the logical connections, the calling and called DTE addresses, parameters specifying the call characteristics, and the data. The destination DCE issues an incoming call packet, which is of the same general format as the call-request packet, to the destination DTE, the latter replying with a call-accepted packet. In response, the calling DCE issues a call-connected packet to its related DTE. At that point the call is established and the data transfer phase may begin by delivery of data packets. When the call is completed, i.e., the session is to end, a call-clearing procedure is initiated.

Prospective routing paths in the network are initially determined by a network control center, which then transmits these predetermined paths to the backbone switches as routing tables consisting of primary and secondary choices of available links from each hub. The secondary choices are viable only in the event of primary link failures, and the specific secondary link selection is a local decision at the respective hub based principally on current or recent traffic congestion patterns. The unavailability of an outgoing link from a hub at the time of the call setup effects a clearing back of the VC for the sought call to the preceding hub. An alternative link is then selected by that hub, or, if none is available there, the VC circuit is again cleared back to the next preceding hub, and so forth, until an available path is uncovered from the routing tables. Messages concerning link and/or hub failures are communicated immediately to the network control center, and that information is dispatched to the rest of the network by the center.

In typical present-day concentrators and packet switches, the data processing devices reside in a plurality of cards or boards containing printed circuits or integrated circuits for performing the various functions of the respective device in combination with the system software. Typically, the cards are inserted into designated slots in cages within a console, with backplane access to a data bus for communication with one another or to other devices in the network. The VME bus is presently the most popular 16/32-bit backplane bus. References from time to time herein to cards or boards will be understood to mean the various devices embodied in such cards or boards.

Many public data networks (PDNs) offer little or no security for communications between users and hosts or other data processing devices within the network, in keeping with the "public purpose" of the network and the desire for accessibility by a large number of actual and prospective users. Where restrictions on access are necessary or desirable, it is customary to assign each authorized user an identification (ID) number or a password, or both, which must be used to gain access to the host. More elaborate security measures are necessary where access may be had to highly confidential data.

Some data communication networks involve a variety of different customers each of whom makes available a host and one or more databases to its users, and may place a level of security on its database which differs from the level placed by other customers on their respective hosts and databases. In those instances, it is customary to make the host responsible for security and access to itself and its associated database. Thus, a user might have access to certain destinations in the network without restriction, but no access to other destinations. It may happen that an intruder, i.e., an unauthorized user, is able to enter the network by dialing up a desired host, and then attempts to make calls (i.e., to access) a desired destination through an iterative process using large numbers of IDs or passwords. Hackers have been known to run long routines of potential passwords for days on end while leaving a terminal unattended, with the expectation that upon return to the terminal, entry to the host and the database may have been successful. These techniques not only violate network security, but also tie up lines otherwise available to authorized users. If toll lines are involved, the intruder may cost the network or its customers many hundreds or thousands of dollars of network time, whether or not the intruder is ultimately able to gain access to the host and its database.

In the past, various techniques and systems have been employed to provide secure data communications. U.S. Pat. No. 4,317,957 to Sendrow describes a security system for an electronic funds transfer network in which proposed transactions entered at remote terminals are multiply-enciphered in a predetermined manner with user identification and other secret information. Data is re-enciphered into another key and, together with this secret information, is appended to a transaction request message and transmitted to a central computer for validation. Such a technique does not readily alleviate the problem of dealing with many different levels of users within a data network, or of precluding an intruder from obtaining initial access and running a routine to penetrate further into the network's confidential archives. The Sendrow system is of the type in which any user may obtain access to the network, and the host has the responsibility for validation of the user's authorization to go further.

U.S. Pat. No. 4,423,287 to Zeidler describes a so-called "end-to-end" encryption system for protecting certain critical elements of messages used to obtain cash in automated financial transactions, such as transactions involving ATMs or other cash dispensing systems. In the Zeidler system, one-time session keys are implemented to assure that all encrypted data and message authentication codes are different notwithstanding identical transactions. The system requires multiple sequential encryptions and decryptions of session keys in master keys. Critical elements of the data message, such as a PIN, are encrypted using a session key which itself is decrypted using a master key, and then a message authentication code is computed using the same session key for other data elements of the message. An acquirer station with which a plurality of user terminals are associated attaches another master key-encrypted session key to the already encrypted data from an associated terminal. The multiply-encrypted data is then transmitted to a host via a network switch which inserts yet another master key for encryption. An issuer receives the last encrypted message and decrypts it with a final master key. Such a security system is generally unsuitable for a public data communications network, simply because it is overly complex and does not allow for different levels of security or different levels of users.

U.S. Pat. No. 4,430,728 to Beitel discloses a system for secure communications using a security key for automatic operation of a modem hookup for communication between the calling and called modems. If a security key contains the proper code, a switch is activated by the called modem to connect the caller to the host. Here again, although the technique employed is relatively less complex than those described above, the prior art system does not readily distinguish between different levels of security or different levels of users within the same network.

U.S. Pat. No. 4,349,695 to Morgan describes an authentication system in which the receiver interrogates the transmitter in code. Multiple back and forth transmissions are required to authenticate the remote user. Such systems likewise do not take into account the various levels of users and security within a single network. While the interrogation of certain users may be appropriate, for others it is a waste of valuable network time.

It will be observed, therefore, that a need exists for a relatively simple security and access management system that may be implemented in an existing data communication network in which certain users may be authorized for unlimited access to hosts and databases, while others have more restricted access, and still others are to be denied access to specified portions of the network but free access to other portions. It is a principal object of the present invention to provide such an access management system.

It is another object of the present invention to provide an access management system for a data communications network which precludes intruders from gaining initial access to the network itself and thus improves the level of overall security, but without imposing harsh or cumbersome measures of accessibility or interrogation on authorized users of every level.

Still another object of the invention is to provide an access management system which precludes iterative techniques for stumbling on valid passwords or other entry-authorizing codes to the data communications network, without establishing unnecessarily strict barriers to entry by the various levels of authorized users of the network.

SUMMARY OF THE INVENTION

According to the present invention, a data network access management system is configured at each entry point to the packet switching network, in proximity to the user's DTE and specifically on a PC. In the packet-switched system, DTEs include or are associated with respective Packet Assembler/Disassembler devices (PADs). In the case of an asynchronous (async) user, for example, desiring access to a particular host, the call request typically includes the destination address of the host, as well as the user's ID and password (and perhaps a second password). The user's PAD assimilates this information and assembles it into a standard request packet.

The request packet is transmitted from the user's DTE to a packet switch, which makes decisions on routing of calls and responses, and priority of data communications within that portion of the data network with which it is associated. In the case of an async user request packet, the switch detects from the information contained in the packet the need for user validation. That is, the switch assesses the request packet, and, finding that certain information required by the system of the present invention is either absent or incomplete, the switch dispatches a call request to the total access management system (TAMS) of the present invention. The TAMS includes an administrative host (AH) which maintains an associated relational data base, and a validation host which runs through various scenarios to determine whether the particular call request packet (CR packet) has been communicated from a pre-authorized user (i.e., a user which the customer of the network provider has predesignated as authorized to request and obtain access from one or more hosts maintained by that network customer), or whether the user's authority must be validated on each request. In the case of an async user, each attempt to enter the network requires validation by the TAMS. It is important to note that according to the present invention the initial determination of a need for validation is made by the switch at a point of entry to the network, and not at the user's terminal (or, more specifically, by some form of terminal security device) as may be found in various prior art systems which all too often are readily circumvented by an unauthorized user.

If the TAMS determines that the CR (and hence, the user) is valid, it proceeds to issue what will be referred to herein as a call forward on clear (CFOC) which, in essence, indicates the TAMS validation of the user in question to the switch, and clears the message back for access by that user to the addressed host. The call from the user is not accepted as such by the TAMS; it is merely cleared to inform the switch that this particular user request is validated and that communications may now ensue between the user and the addressed host. In turn, the switch proceeds to make the connection required for that communications path, the host accepts the call (which may depend on additional interrogation of the user by that host — or by a separate host security device — as found in various prior art systems, and which forms no part of the present invention), and that acceptance is communicated to the user's terminal.

The assembly of data at the terminals (or at a PAD remote from but associated with the terminal) into a CR packet, and the intercommunication between the switch and the TAMS, are transparent to the user. After the ID and other pertinent data are entered at the terminal, an indication of the outcome is presented (typically on a CRT monitor) at the terminal. As noted above in the background section of this document, in many prior art data communications systems each host may have its own security system. If the user is able to enter the network and knows (or thereafter uncovers) the host address, he may simply "dial up" the host and the host then assumes the responsibility for validating that user. However, with the TAMS system according to the invention, security is established at the point of entry to the network so that the user cannot even enter the network (except in certain special situations to be discussed hereinafter) to reach the host without being referred to and validated by the TAMS. If the CR packet is not validated, the message from TAMS back to the switch causes an immediate disconnect of the user's terminal.

Thus, among other advantages, the invention precludes an unauthorized user from reaching a host in a data communications network, and hence precludes the situation in which the user may thereafter use an iterative technique to uncover an acceptable ID and/or password to penetrate the host's database. Indeed, according to a feature of the TAMS system of the present invention, means are included for logging the number of invalid attempts at access from a particular terminal or line within a predetermined time, and for initiating a temporary disconnect of the user if that number exceeds a preselected number. This is to take into account a reasonable number of errors in entry by an authorized user. After expiration of the temporary disconnect, the switch allows reconnection thereto from the user in question. However, if this is followed by another (one or more, as preselected) series of invalid attempts at access by the same user (same terminal or line), a permanent disconnect is effected. In that instance, reconnection is permitted only after a physical investigation of the circumstances that surrounded the permanent disconnect, and a clearing of the particular user/terminal/line.

The system according to the present invention permits existing networks to enjoy upgraded security or to impose security where none existed before, without substantial change to existing network terminals, lines, hosts, devices or subsystems. If desired by the network customer, certain users may be pre-authorized to gain access to a designated host or hosts without need for validation by TAMS. In such instances, the switch recognizes the pre-authorization and determines therefrom that no inquiry to TAMS is necessary. Therefore, it will be noted that the present invention may accommodate the needs of many different network customers regarding user access and security (or the lack thereof) within a public data network, in a relatively simple, efficient and cost-effective manner and without requiring individual customers or device manufacturers to modify their hardware or software.

Accordingly, it is yet another object of the present invention to provide an access management system for a public data communications network in which access management with respect to users and hosts of different customers of the network is performed at an entry point to the network which is remote from both the user's terminal and the host computer to which the access is sought.

Still another object of the present invention is to provide an access management system of the above-described type in which invalid attempts at access are logged with respect to a particular user, terminal or line, and a predetermined number of successive invalid attempts automatically results in a disconnect of the user, terminal or line to preclude numerous iterations of attempts to break an identification code, password or other security measure.

In the TAMS system, four major functions are provided to asynchronous users: (i) user ID validation, (ii) address pair validation, (iii) address (mnemonic) translation, and (iv) password change. User ID validation compares the entered user ID and password against data in the TAMS data base, and, if valid, a further check may be made to verify permitted access by the user to the requested destination. The validation information may be present in the call request or may be obtained interactively. Address pair validation compares the calling address against a list of valid addresses that may place calls to the requested destination, and is used for callers which do not directly interact with the PAD at call setup and which, therefore, have no user ID associated with them. Mnemonic addressing capability is provided for single-transaction validation, in which the user may enter a mnemonic (i.e., a "user friendly" alphanumeric name for a network resource, e.g., a host) rather than a numeric destination, the call then being forwarded to a validation host (VH) which translates the mnemonic to the appropriate numeric address, performs the required call validation, and forwards the call to the requested destination. Finally, asynchronous users may change their passwords by entering a special mnemonic representing the password change application.

BRIEF DESCRIPTION OF THE DRAWINGS

The above and other objects, aspects, features and advantages of the present invention will become more apparent from a consideration of the ensuing detailed description of a presently preferred embodiment thereof, taken together with the accompanying drawings, in which:

FIG. 1 is a simplified block diagram of a public data communications network useful for purposes of the description of a presently preferred embodiment of the invention;

FIGS. 2a, b, c, d, and e are portions of an overall flow chart useful for describing TAMS processing in the system of FIG. 1;

FIG. 3 illustrates a PDN with associated users and hosts and foreign PDN, as well as associated devices, in greater detail for use in describing the presently preferred embodiment of the invention;

FIGS. 4-6 are sequence diagrams illustrating the message flows for certain types of validation, including user ID validation, address pair validation, and interactive user ID validation;

FIGS. 7 through 12 inclusive are block diagrams of the various key components and operative relationships provided for the TAMS system in the embodiment of FIG. 3.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

Referring to FIG. 1, a PDN of the packet switching type has associated therewith a DTE 2 operating in conjunction with a PAD 3 for communication with one or more hosts or other data processing devices 4, 5. DTE 2 communicates with network 1 via a packet switch 7, which may, for example, be of the type described in U.S. patent application Ser. No. 07/176,654 to Makris et al. filed Apr. 1, 1988, assigned to the same assignee as the present application. For purposes of the present description, it is sufficient to note that switch 7 serves to prioritize communications between the network 1 and the several DTEs of users in addition to DTE 2 with which switch 7 is associated, and to route the calls and responses between those terminals and the network. In practice, a single switch 7 is capable of accommodating a plurality of terminals. Each of the processing devices 4, 5, is also associated with its own packet switch.

Each PDN customer may establish its own rules and regulations regarding user/subscriber authorization for access to its data or other services or portions thereof. The desire for and provision of access and security measures among the various network customers with respect to their users may vary. Each customer may typically choose to impose its own techniques and measures in these respects, but to do so may and usually does require that the customer implement hardware and software measures at or in conjunction with its host computers, and in some instances to require the implementation of special hardware and software measures at or in conjunction with user terminal equipments. These techniques and measures are not impenetrable to skillful hackers. Moreover, as the imposition of restrictions, and special hardware or software on users, becomes more harsh, the ability to successfully employ the PDN as the medium of communication for a wide variety of users becomes less clear.

To avoid these shortcomings, the network is provided with a telecommunication access management system (TAMS) 8 which may service any of the user- or host-associated packet switches, such as 7. As will be described in detail presently, TAMS 8 includes an administrative host (AH) together with a master relational database pertaining to network customers, including
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user IDs, passwords, and other relevant information, 
and a validation host (VH) for running software rou- 
tines pertaining to scenarios for validating users, that is, 
the user's authorization to communicate with the ad- 
dressed host of a particular network customer, or any 
other destination. 

By way of example, if DTE 2 is an async user desiring 
to access host 5, the user enters its ID, its password, and 
destination address of the desired host. The address may 
be mnemonic, or may be a CCITT X.121 numeric ad- 
dress. PAD 3 automatically builds a standard call re- 
quest packet which includes, among other things, the 
user's (source) address, and the called (destination) ad- 
dress. The assembled packet is transmitted to switch 7, 
which reviews the information contained in the packet, 
and may make an initial assessment as to whether that 
information dictates a need for user validation. This in 
turn depends on the requirements which have been 
imposed by the network customer for the host with 
which this user desires to communicate. If the switch 
determines that user validation is necessary, or if the 
call request is simply to be transmitted to TAMS with- 
out preliminary processing for authorization by the 
packet switch, the call request is forwarded to the 
TAMS 8. The latter follows a validation procedure by 
which the information is reviewed and a determination 
is made, based in part on data stored in the relational 
database, whether the user will be allowed to access the 
addressed host or other destination sought to be ac- 
cessed in the call request. 

If that determination is favorable, i.e., the requested 
access is granted, TAMS 8 issues a call forward on clear 
(CFOC) message packet which, in essence, informs the 
switch 7 that this user is valid and the requested connec- 
tion is to be made. The TAMS relational database cor- 
relates all authorized users, their attributes, passwords, 
and so forth, to addresses to which they are permitted 
access, among other things. The packet switch 7 re- 
sponds by transmitting packets including the appropri- 
ate call request information and message data via the 
PDN to the addressed host or other request destination, 
which accepts the call. The desired communication 
session may then commence. 

The validation procedure may be arranged to be 
transparent to the user, in that after the desired entry is 
made (which could, for example, consist merely of plac- 
ing an access authorization encoded card into an appro- 
priate slot at the terminal), a response is received after 
processing, which may confirm that the communication 
session will proceed, or whatever else the nature of the 
transaction may call for. If, however, the requested 
access is denied, because the TAMS 8 has determined 
there is no validation, the user's DTE may be imple- 
mented to provide a visual or audible notice of the 
denial. Alternatively, the user may be effectively in- 
formed of the denial by an immediate disconnect. In a 
presently preferred embodiment of the invention, in- 
valid attempts at a connect from a particular user termi- 
nal are logged by the TAMS, and after a preselected 
number of invalid attempts, TAMS issues a "temporary 
disconnect" command to switch 7, denying the user any 
penetration of the network. 

In the face of a temporary disconnect, the user may 
repeat the procedure of establishing a "connect". If 
desired, once a sequence of a preselected number of 
successive temporary disconnects has occurred, TAMS 
may be implemented to issue a "permanent disconnect", 
in which event a reconnection of the specific terminal 
may be made only by compliance of the user with what-
ever rigorous measures may be imposed by the network 
customer. 
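The lockout policy just described (invalid attempts logged, a temporary disconnect after a preselected number of them, and a permanent disconnect after a preselected number of temporary disconnects; the same retry algorithm is described again for the Validation Phantom later in the description) can be modelled as follows. This is an added example, not code from the patent or from the TAMS product; the thresholds, the sliding time window, the key used to count attempts and the alarm-log record layout are assumptions.

```python
# Added example, not from the patent: a model of the TAMS retry/lockout
# policy. Thresholds, the sliding window and the alarm-log layout are assumed.
from collections import defaultdict


class LockoutPolicy:
    """Counts invalid connect attempts per terminal (or user) and escalates
    to a temporary disconnect, then to a permanent disconnect."""

    def __init__(self, max_invalid=3, window=60.0, suspend_for=300.0,
                 max_suspensions=3):
        self.max_invalid = max_invalid          # invalid attempts tolerated per window
        self.window = window                    # seconds covered by the sliding window
        self.suspend_for = suspend_for          # seconds a temporary disconnect lasts
        self.max_suspensions = max_suspensions  # temporary disconnects before permanent
        self.failures = defaultdict(list)       # key -> timestamps of invalid attempts
        self.suspended_until = {}               # key -> time the suspension ends
        self.suspensions = defaultdict(int)     # key -> temporary disconnects so far
        self.freezelist = set()                 # keys permanently disconnected
        self.alarm_log = []                     # (time, key, event), for the AH

    def status(self, key, now):
        """State the switch must enforce for this key at time `now`."""
        if key in self.freezelist:
            return "permanent_disconnect"
        if self.suspended_until.get(key, 0.0) > now:
            return "temporary_disconnect"
        return "ok"

    def record(self, key, now, valid):
        """Record one validation outcome and return the resulting state."""
        state = self.status(key, now)
        if state != "ok":
            # Attempts during a disconnect are rejected and logged, not counted.
            self.alarm_log.append((now, key, "attempt while " + state))
            return state
        if valid:
            self.failures[key] = []             # success resets the window
            return "ok"
        recent = [t for t in self.failures[key] if now - t < self.window]
        recent.append(now)
        self.failures[key] = recent
        self.alarm_log.append((now, key, "invalid attempt"))
        if len(recent) < self.max_invalid:
            return "ok"
        # Threshold reached inside the window: temporary disconnect, and count
        # it toward the permanent-disconnect limit.
        self.failures[key] = []
        self.suspensions[key] += 1
        if self.suspensions[key] >= self.max_suspensions:
            self.freezelist.add(key)
            self.alarm_log.append((now, key, "permanent disconnect"))
            return "permanent_disconnect"
        self.suspended_until[key] = now + self.suspend_for
        self.alarm_log.append((now, key, "temporary disconnect"))
        return "temporary_disconnect"


def demo():
    """Constructed attempt sequence from one terminal: three failures suspend
    it, three more after the suspension ends freeze it for good."""
    policy = LockoutPolicy(max_invalid=3, window=60, suspend_for=300,
                           max_suspensions=2)
    key = "dte-2"
    attempts = [(0, False), (10, False), (20, False), (100, False),
                (400, False), (410, False), (420, False), (1000, True)]
    states = [policy.record(key, t, ok) for t, ok in attempts]
    return states, policy


if __name__ == "__main__":
    states, policy = demo()
    print(states)
    for entry in policy.alarm_log:
        print(entry)
```

The attempt made while a suspension is in force is rejected outright and reported to the alarm log but not counted again, so a single burst cannot push a terminal from a temporary to a permanent disconnect on its own; only repeated bursts after each suspension has expired do that.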

By way of further example, an async user may be authorized by the network customer to do a straight connect to the addressed host. In this instance the information contained in the call request packet received by the switch 7 is recognized by the switch as not requiring validation of the user by TAMS 8. The switch may be implemented to proceed with establishment of the connection between the requesting terminal and the addressed host without any communication with TAMS 8. Nevertheless, in such a situation if the packet were incomplete in any material respect, indicative of a security violation, then notwithstanding the authorization of a straight connect to the addressed host, the switch 7 would route the call request to TAMS 8 for validation. In such an instance, TAMS queries the user for his ID and password, and such other information as may be called for by the applicable program stored in TAMS. If on the basis of the user's responses to these queries TAMS determines user validation, it will transmit a CFOC and the procedure described above in response thereto would be similarly followed.

Still another situation which might be encountered in the network is that in which an X.25 host desires to call over to another host. In that situation, the call request is posed to the TAMS via a corresponding packet switch, to accommodate the X.25 host for communication with the desired destination via PDN 1. Here, however, the validation is not by user ID and password, but rather by pre-authorization of the source address (i.e., the X.25 host) to access the destination address (i.e., to communicate with the addressed host), as stored in the TAMS administrative host data base. Upon validation by TAMS, the communication session is established in the same manner as described above for the asynchronous user. Calls may be placed to points outside the network to a foreign PDN by addressing a gateway to the other PDN, or other link to a non-network destination.

TAMS validation processing for the network of FIG. 1 will be described with reference to FIGS. 2a-e. At the outset, the validation process is commenced at 10 (FIG. 2a) with a user desiring access to a specified destination, by reference to whether a user ID 11 exists in the call request. If there is a user ID, a user validation routine 12 is performed by the TAMS VH. Assume for the moment, however, that the user has no ID, which, depending on the specific user, is normally entered either automatically (by being built into the call request at the user's DTE) at startup for access, or in response to a prompt from the system. Absence of a user ID may occur, for example, because the particular DTE is unsecure in that it is available for use by the general public for entering into transactions with one or more hosts via the PDN, or because the user has failed to respond to a prompt. A check is made to determine whether a security violation has occurred (13), by examination through TAMS of the user's address (source address) and the address sought to be accessed by the user (destination address). If a security violation notification is applicable, but the source address is on the VH data base (14), the user is queried (prompted) for his ID and password (15). If the source address is not on the data base, or the user does not provide an appropriate response, an "invalid" exit is performed, as will be explained presently.
If, instead, no security violation notification is appropriate based on source address, an examination of the destination address is made as well (15). The destination address may have been specified as a mnemonic ("user friendly") or an X.121 numeric address (17). If mnemonic, but no such address is available (i.e., the mnemonic is invalid (18)), an invalid exit is performed. On the other hand, if the mnemonic address is available, TAMS treats the call request in the same manner as would be the case if an X.121 address were specified and on the data base (19). Where the called address is not found on the data base, TAMS assumes that "security" is not an issue for that particular address and performs a "valid" exit (to be explained below) for the call request. Assuming, however, that the called address, either mnemonic or numeric, is available, a charge request check is performed to assess whether this particular destination address is accessible subject to a toll and, if so, whether the source address of the user (contained) in the call request is a valid charge account (20). A "no" answer produces an "invalid" exit, but a "yes" is followed by a memory check of whether the destination address is marked "secure" (21). It should be noted that the X.121 address may be on the VH data base, but nevertheless that particular destination may not be designated as secure, in which event the call request would be given a "valid" exit. If the called address is secure, a final check is made that both source address and destination address are authorized for this user (22), and, if so, a "valid" exit is performed. If not, however, the user is prompted for his ID and password (15).

Returning now to the situation in which the user validation routine (12) ascertains that the user has an ID which was built into the call request by the user's DTE (FIG. 2b), a check is made to determine whether the user is freeze-listed or permanently disconnected for prior violations (27) by comparing the ID against a list compiled in suitable read-only memory. If the answer is "yes", the call request is denied by performing an "invalid" exit (28). A negative answer, however, leads to an assessment of whether the user ID is valid (29). If it is not, an "invalid" exit is performed. If a valid ID is found, the password (which is also built into the call request in a conventional manner) is examined for validity (30). If the password is not valid, the appropriate disconnect status is processed (31) and communicated to the user's DTE, and an "invalid" exit is performed (28). If the password, like the ID, is valid, the TAMS appraises whether a temporary disconnect should be performed (32); for example, because the called address is unable to accept a call at that time. In that event, a disconnect is performed through an exit (28), but the user's ID is appropriately notified and the call request may be automatically reinitiated to commence processing after bypassing the temporary disconnect as a negative response.

Following the temporary disconnect assessment, with a "no" answer, the destination address contained in the call request is examined for characterization as mnemonic or X.121 numeric (33). A mnemonic address is examined for validity (34), and if invalid (e.g., no such address is available in the network), an "invalid" exit is performed.

However, if the mnemonic address is valid (FIG. 2c), a check is performed to determine whether a password change is required for access to this particular destination address (35). No change requested, indicative of the called address being available, results in processing of the call request by TAMS in the same manner as if the call request had contained an X.121 address which is found in the data base (36), as will be discussed below. If a password change is requested by the called address, the related memory for TAMS is examined (or, in the alternative, the user's DTE is queried) as to whether the user is allowed to change its password (38). If such change is not permitted for this particular user, an "invalid" exit is performed (39). Where the change of password is allowed, the user is queried for the new password (40), and, if the password is correct, the call request is processed through a "valid" exit from TAMS (41). If, however, the new password provided by the user is invalid, an "invalid" exit is performed (39).

Returning to the situation where the called address in the call request is X.121 numeric rather than mnemonic (33), the X.121 address is examined (FIG. 2d) to determine whether it is on the TAMS data base (43) by comparison with the appropriate list in related read only memory. As in the example previously discussed herein, if the called address is not found on the data base, TAMS assumes that "security" is not a consideration for access to the particular called address. In that case, the user charge request is examined for validity (44), and if it is, a "valid" exit (45) is performed on the call request. On the other hand, an invalid charge request will result in an "invalid" exit of the call request from TAMS (46).

If the X.121 address designated for the destination in the call request is found on the data base (43), a charge request check is performed to assess whether the called address is subject to a toll charge and, if so, whether the source address of the user or host in the call request is cleared to bear such a charge (48). This is the same point of the processing for a mnemonic address in the call request where no password change is requested and the called address is available (36). A "no" answer to the "charge OK?" inquiry will result in a further query as to whether the TAMS itself is permitted to override the non-acceptable charge response (49) (for example, where the user account is past due but other factors dictate an OK). If TAMS may not override, an "invalid" exit is performed (46), but a "yes" answer is followed by a setting of the correct charge (50), and further processing in the same manner as for an affirmative answer to the original "charge OK?" inquiry (52).

Referring to FIG. 2e, the processing by TAMS then determines whether the destination address is marked "secure" (53). If it is secure, the user address is checked to assess the user's authority to access that destination (54), and, if the user is not authorized, the call request is given an "invalid" exit (55). Where either the called address is not marked "secure" or the user address is found to be authorized for access to the "secure" destination address, TAMS queries whether the called address is reselected (56). A "no" answer results in setting up a return to the originally requested address (57), whereas a "yes" answer is followed by setting up a return to the reselected address (58). In either event, the call request receives a "valid" exit (59).

A "valid" exit in any of the above-described instances is the issuance by TAMS of a call forward command with "valid" indication and pertinent information including a security key if the destination address is marked "secure". On the other hand, an "invalid" exit is characterized by a call forward from TAMS with an "invalid" indication and an appropriate error message.
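The decision tree of FIGS. 2a-2e, written out as an added example in Python rather than code from the patent: it takes a call request with or without a built-in user ID, resolves a mnemonic or X.121 called address, applies the charge check, and then applies the secure-destination authorization check, returning the "valid", "invalid" or "prompt the user" exit. The layout of the VH data base, the hashed password storage, the HMAC-derived security key and every address and user name are assumptions; the temporary-disconnect, charge-override bookkeeping and password-change branches are not modelled.

```python
# Added example, not the patent's code: a compact model of the TAMS
# validation decision tree of FIGS. 2a-2e. The data base layout, hashed
# password storage, the HMAC security key and all addresses are assumptions.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

SKY_SECRET = b"constructed-example-secret"  # assumed secret behind the security key


@dataclass
class CallRequest:
    source: str                      # calling X.121 address
    called: str                      # mnemonic or X.121 numeric called address
    user_id: Optional[str] = None    # absent for public DTEs and X.25 hosts
    password: Optional[str] = None


def pw_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed VH data base (the patent does not say how passwords are stored).
DB = {
    "users": {
        "smith": {"pw": pw_hash("s3cret"), "freezelisted": False},
        "jones": {"pw": pw_hash("qwerty"), "freezelisted": True},
    },
    "mnemonics": {"STA": "311040200010"},
    "addresses": {                                  # X.121 -> attributes
        "311040200010": {"secure": True, "toll": True},
        "311040200020": {"secure": False, "toll": False},
        "311040200030": {"secure": True, "toll": False},
    },
    "charge_accounts": {"311020100001"},            # sources cleared to bear a toll
    "authorized": {("smith", "311040200010"),       # (user id or source, X.121)
                   ("311020100001", "311040200010")},
    "prompt_sources": {"311020100001"},             # sources whose users may be prompted
}


def security_key(x121: str) -> str:
    """Value carried to the destination switch so that it admits the call."""
    return hmac.new(SKY_SECRET, x121.encode(), "sha256").hexdigest()[:16]


def resolve_called(called: str):
    """Return (x121, on_data_base); an unknown mnemonic yields (None, False)."""
    if called.isdigit():
        return called, called in DB["addresses"]
    x121 = DB["mnemonics"].get(called)
    return (x121, True) if x121 else (None, False)


def validate(req: CallRequest, allow_override: bool = False) -> dict:
    """Walk the decision tree and return the exit taken with its details."""
    if req.user_id is not None:                      # FIG. 2b: ID built into the request
        rec = DB["users"].get(req.user_id)
        if rec is None:
            return {"exit": "invalid", "reason": "unknown user id"}
        if rec["freezelisted"]:                      # freeze-listed / permanent disconnect
            return {"exit": "invalid", "reason": "freezelisted"}
        if not hmac.compare_digest(pw_hash(req.password or ""), rec["pw"]):
            return {"exit": "invalid", "reason": "bad password"}
    elif req.source not in DB["prompt_sources"]:     # FIG. 2a: no ID, source unknown
        return {"exit": "invalid", "reason": "source not on data base"}

    x121, on_db = resolve_called(req.called)         # FIGS. 2c/2d
    if x121 is None:
        return {"exit": "invalid", "reason": "unknown mnemonic"}
    attrs = DB["addresses"].get(x121, {"secure": False, "toll": False})

    # Charge check: a toll destination needs a cleared charge account unless
    # the operator has allowed TAMS to override the "charge OK?" answer.
    if attrs["toll"] and req.source not in DB["charge_accounts"] and not allow_override:
        return {"exit": "invalid", "reason": "charge not OK"}
    if not on_db or not attrs["secure"]:             # security not a consideration
        return {"exit": "valid", "forward_to": x121, "sky": None}

    # FIG. 2e: a secure destination needs an authorized (principal, address) pair.
    principal = req.user_id or req.source
    if (principal, x121) in DB["authorized"]:
        return {"exit": "valid", "forward_to": x121, "sky": security_key(x121)}
    if req.user_id is None:                          # no ID yet: query the user instead
        return {"exit": "prompt", "reason": "user ID and password required"}
    return {"exit": "invalid", "reason": "not authorized for secure destination"}


if __name__ == "__main__":
    print(validate(CallRequest("311020100001", "STA", "smith", "s3cret")))
    print(validate(CallRequest("311020100001", "311040200030")))
```

Note the asymmetry the text describes: a called address that is absent from the data base gets a "valid" exit with no security key at all, so a destination only enjoys the SKY screening if its operator has actually registered it and marked it secure.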
FIG. 3 illustrates a PDN with associated users and hosts and foreign PDN, as well as associated devices, in greater detail for use in describing the presently preferred embodiment of the invention. At the source, a user device (DTE) 65, PAD 67 receiving native protocol from the user DTE and supplying X.25, and source packet switch 68, are located at a point of entry to PDN network 62. The switch 68 has an associated PC 70 with VH software. An X.25 host 71 communicates with the switch 68. Outgoing call screening is performed at the entries to the switch for X.25 from PAD 67 and host 71. Another source switch 75 with an associated PC 76 on which a VH for TAMS is located, is disposed in data communicating relationship with a foreign PDN 78. An asynchronous user 80 has access to the foreign PDN.

At a destination for calls to and from the PDN 62, a destination (host) device 82 is associated with PAD 83 and destination switch 85. The switch is arranged to communicate with an associated PC 87 having onboard TAMS VH. An X.25 host (destination) 88 communicates with switch 85. Incoming call screening is performed at the entries to the switch for X.25 from PAD 83 and host 88. At another location relative to the network 62, a minicomputer (e.g., Prime computer) 92 accommodates the TAMS AH and a backup VH.

The TAMS system described earlier may be implemented to provide four major functions to the asynchronous user, namely, user ID validation, address pair validation, address (mnemonic) validation, and password change. User ID validation compares the user-entered ID and password (and optional logical data) against the user's record in the TAMS data base. If the user ID and password are valid, a further check may be made to verify that the user may access the requested destination. The validation information may be present in call request facilities (single-transaction validation, in which validation of a call request is based solely on the contents of the call request packet, which is responded to by the VS with a clear request rather than entering data transfer state), or may be obtained interactively. The validation host (VH), which has the primary function of running the validation subsystem (VS) that validates call requests, only interacts with asynchronous users. The interactive mechanism exists primarily to validate users entering a network across an X.25 or X.75 gateway; the calling device in this case might not support the facilities required for single-transaction validation.

Address pair validation compares the calling address against a list of valid addresses that may place calls to the destination DTE. This mechanism is used for callers which do not directly interact with the PAD at call setup (e.g., autoconnect devices, HPAD, X780, and X.25 hosts). These calls therefore have no user ID associated with them. Outgoing call screening, a facility which indicates that all calls from a particular DTE must be validated by the TAMS system, must be used on the source DTE lines, to force the calls to be routed to the TAMS VH for validation.

In the single-transaction validation scenario, TAMS provides a mnemonic addressing capability; the user may enter a mnemonic rather than a numeric destination. Calls with mnemonics are forwarded to a VH which translates the mnemonic to an X.121 address, performs any required call validation, and forwards the call to the desired destination. Multiple X.121 addresses may be assigned to a particular mnemonic; TAMS will distribute the calls across all the addresses. This capability is also referred to as load-sharing. Asynchronous users are allowed to change their passwords by entering a special mnemonic representing the password change application.

In one technique, TAMS accepts the call and prompts the user for his user ID, old password, new password, and new password again. If the password is changed successfully, the call is cleared with a VER facility (validation error facility used to indicate to the caller the reason a call was not forwarded to the destination) containing an appropriate message. If the password change is not successful, the VER facility will contain an appropriate error message. In another technique, the password is generated by TAMS and displayed to the user, after which the call is cleared with an appropriate message in the VER facility.

The sequence diagrams of FIGS. 4-6 illustrate the message flows for three types of validation: user ID validation (single-transaction), source address (address pair) validation, and interactive user ID validation (validation of a call request by interactive dialogue between the VS and the user, available for asynchronous DTEs only). Referring to FIG. 4, in single-transaction validation all information needed to validate a call is supplied to the VH in the call request. The user ID, password, and destination are entered by the user, and placed in the call request by the PAD. For certain types of PADs (NR 3.31), the information is entered in the form of a single-line sign-on connect request, as follows:

@<destination>,<user id>,<password>

Throughout, the notation <facility> defines a facility in the call request and clear request packets. For other types of PADs (NR 3.52), the information is entered by the user in response to prompts by the PAD, thusly:

USER ID? MITH/
PASSWORD? (no echo when full duplex terminal entry)
DESTINATION? STA/

The PAD packages the user ID and password into a CUI facility (PAD 3.31; a calling user identification facility constituting a TAMS version of the network user identification (NUI) facility containing the user ID and password entered by the user at the PAD), or an NUI facility (PAD 3.52), and places it in the call request. If a mnemonic was entered as the destination, a mnemonic facility is built in the call request, and a zero-length called address is used. If a numeric address is entered, it is used as the called address in the call request. The call request is then sent to the source switch, which recognizes the presence of TAMS facilities including CUI or NUI (and the mnemonic facility MN if a mnemonic destination is conveyed to the VS). In response, the source switch forwards the call to a VH by substituting the VH address as the called address in the call request. If a called address was present in the original call request, it is placed in an address facility in the call request to the VH.

On the VH, the VS validates the user ID and password, translates the mnemonic, if any, to a numeric (X.121) address, and validates that the user may access the desired destination. If access is not allowed, a clear request is built with a VER facility indicating the error to the user. In that instance, the VER is received by the source switch in the clear request, from which it is passed on to the PAD, and the call is cleared down.
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On the other hand, if access is allowed, a clear request 
is built with several other facilities. These include a 
CFW facility (a call forward which instructs the source 
switch to redirect the call to a specified destination 
address), an ID facility (used to communicate a version 
of the user ID as billing information to the network or 
for other accounting purposes), and a SKY facility 
(which contains the security key needed to pass the 
screening at the destination switch). The CFW facility 
is received by the source switch, which sends a new call 
request to the specified destination, containing the ID 
and SKY facilities passed in the clear request. At the 
destination switch, the presence of the SKY facility 
allows the call to be passed through to the destination 
DTE. The latter is then permitted to accept the call and 
enter the data transfer state for a communication session 
with the user. 

Address pair validation, illustrated in FIG. 5, does 
not require any special processing on the part of the 
source DTE, such as the PAD. In this scenario, an 
ordinary call request is sent to the source switch by the 
source DTE. If outgoing call screening is turned on for 
the source DTE in the switch tables, the call is for- 
warded to a VH for validation. Since, by definition, the 
caller/device in a source address (address pair) situation 
is not associated with a specific user ID (for example, an 
HPAD, X780, or autoconnect call), the call request will 
contain only an address facility including the originally 
called address. On the VH, the VS validates the source 
address against those which are allowed to call the 
specified destination. If access is denied, the call is 
cleared; the clear request would contain the VER facil- 
ity only if the protocol ID is asynchronous. If access is 
allowed, the call is forwarded to the called destination 
in the same manner as described above for single-tran- 
saction (user ID) validation. For an invalid call (access 
denied), the clear request will contain a clearing cause 
and a diagnostic code which are returned to the source 
DTE. In contrast, the cause and diagnostic in the clear 
request for a valid call are not seen by the source DTE 
because the call is forwarded. As in the single-transac- 
tion scenario, when the destination DTE is permitted to 
accept the call, it may then commence a communication 
session with the source DTE in which data are ex- 
changed. 

Referring now to FIG. 6, interactive validation pro- 
vides user ID validation to asynchronous terminals in 
those situations where the NUI or CUI facility cannot 
be supplied because of the nature of the call; for exam- 
ple, from a nonconforming PAD, or across a gateway. 
In this scenario, outgoing call screening on the source 
DTE (or gateway) line forces the call (which contains 
the destination X.121 address in the address facility) to 
be routed to a VH for validation. On recognizing that 
no user ID is present, the VH accepts the call and 
prompts the user for his user ID and password. Valida- 
tion proceeds as described above for the single-transac- 
tion situation. If the call is not valid, a clear request with 
VER facility is sent, and the source switch is typically 
configured to not pass this on to the source DTE. If the 
call is valid, a clear request containing CFW, ID, and 
SKY facilities is sent, to forward the call to the specified 
destination. Because the source DTE is already in the 
data transfer state, the source switch resets the virtual 
circuit back to the source DTE to realign the packet- 
level sequence numbers for the forwarded call. In this 
case, when the destination DTE accepts the call, no call 
connected facility is sent to the source DTE, since the 
latter is in the data transfer state. 

Calls across a foreign gateway must be either asynchronous or X.25, which is determined by the call request protocol ID or lack thereof. If the protocol ID is X'01', the caller is assumed to support the standard CCITT X.3 parameter set and X.29 protocol, and the IA5 ASCII character set. In that case, interactive validation is used. If there is no protocol ID or user data, the caller is assumed to be an X.25 host, and address pair screening is used. In all other cases of calls across foreign gateways, the call is rejected.
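The single-transaction flow of FIG. 4 and the address-pair flow of FIG. 5, together with the foreign-gateway dispatch rule just described, as an added example that is not the patent's or the network's code. It parses the single-line sign-on request into an NUI facility plus either a called address or an MN facility, lets the source switch substitute the VH address and carry the original called address in an address facility, has the VS answer with a VER or a CFW/ID/SKY clear request, and has the destination switch admit only a forwarded call that carries a correct SKY. The facility encoding as a Python dict, the "ADDR" name for the address facility, the HMAC-derived security key, the X.121 addresses and the clear-text sample passwords are assumptions.

```python
# Added example, not the patent's or the network's code: the single-transaction
# (FIG. 4) and address-pair (FIG. 5) message flows and the foreign-gateway
# dispatch rule. Facility encoding, the "ADDR" facility name, the HMAC
# security key, the addresses and the sample passwords are assumptions.
import hmac
import re

SKY_SECRET = b"constructed-example-secret"
VH_ADDRESS = "311000000099"                     # assumed X.121 address of the VH

# Constructed VH data base.
USERS = {"SMITH": "s3cret"}                     # user id -> password (clear text for brevity)
MNEMONICS = {"STA": "311040200010"}
ACCESS = {"SMITH": {"311040200010"}}            # user id -> destinations allowed
ADDRESS_PAIRS = {("311030000007", "311040200010")}   # (X.25 host, destination) allowed
SCREENED_SOURCES = {"311030000007", "311020100001"}  # outgoing call screening turned on


def parse_signon(line, source):
    """PAD side: turn the '@<destination>,<user id>,<password>' sign-on line
    into a call request carrying the NUI facility and either a called address
    or an MN facility with a zero-length called address."""
    m = re.fullmatch(r"@([^,]+),([^,]+),([^,]+)", line.strip())
    if not m:
        raise ValueError("malformed sign-on line")
    dest, uid, pw = m.groups()
    req = {"source": source, "called": "", "NUI": (uid, pw)}
    if dest.isdigit():
        req["called"] = dest
    else:
        req["MN"] = dest
    return req


def source_switch(req):
    """Forward to the VH when TAMS facilities are present or the source line has
    outgoing call screening; the original called address, if any, travels in
    an address facility (ADDR) and the VH address becomes the called address."""
    if "NUI" in req or "MN" in req or req["source"] in SCREENED_SOURCES:
        fwd = dict(req)
        if req["called"]:
            fwd["ADDR"] = req["called"]
        fwd["called"] = VH_ADDRESS
        return fwd
    return req                                   # no screening: straight connect


def sky(x121):
    """Security key for the SKY facility, tied to the destination address."""
    return hmac.new(SKY_SECRET, x121.encode(), "sha256").hexdigest()[:16]


def validation_subsystem(req):
    """VS on the VH: answer with a clear request carrying VER (denied) or
    CFW/ID/SKY (allowed)."""
    dest = MNEMONICS.get(req["MN"]) if "MN" in req else req.get("ADDR")
    if dest is None:
        return {"VER": "unknown destination"}
    if "NUI" in req:                             # user ID validation (FIG. 4)
        uid, pw = req["NUI"]
        if not hmac.compare_digest(USERS.get(uid, ""), pw):
            return {"VER": "invalid user id or password"}
        if dest not in ACCESS.get(uid, set()):
            return {"VER": "access to destination not allowed"}
        ident = uid
    else:                                        # address pair validation (FIG. 5)
        if (req["source"], dest) not in ADDRESS_PAIRS:
            return {"VER": "source not authorized for destination"}
        ident = req["source"]
    return {"CFW": dest, "ID": ident, "SKY": sky(dest)}


def destination_switch(req):
    """Incoming call screening: admit only a call whose SKY matches."""
    return hmac.compare_digest(req.get("SKY", ""), sky(req["called"]))


def place_call(req):
    """Run one call: source switch -> VH -> source switch -> destination switch."""
    fwd = source_switch(req)
    if fwd["called"] != VH_ADDRESS:
        return {"outcome": "straight connect", "to": fwd["called"]}
    clear = validation_subsystem(fwd)
    if "VER" in clear:                           # cleared down, VER passed to the PAD
        return {"outcome": "cleared", "VER": clear["VER"]}
    new_req = {"source": req["source"], "called": clear["CFW"],
               "ID": clear["ID"], "SKY": clear["SKY"]}
    admitted = destination_switch(new_req)
    return {"outcome": "connected" if admitted else "screened", "to": clear["CFW"]}


def classify_gateway_call(protocol_id, user_data):
    """Foreign gateway rule: X'01' -> interactive validation; no protocol ID and
    no user data -> address pair screening; anything else -> reject."""
    if protocol_id == 0x01:
        return "interactive"
    if protocol_id is None and not user_data:
        return "address_pair"
    return "reject"
```

The "straight connect" outcome for a source line without outgoing call screening is the point the text makes about address pair validation: the VH never sees such a call, so the protection of a destination rests on screening being enabled at the source switch and on the destination switch refusing calls that lack a correct SKY.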

The enhanced TAMS is utilized in a packet switching network to protect network resources from unauthorized access. The system screens call requests before sending them to their destination, and bars unauthorized calls, by employing methods of user ID validation for end users and calling/called address pair validation for non-interactive devices. Users are required to change their passwords at periodic intervals, selectable by the system administrator, when notice is given by TAMS to the user that the password has expired. Terminal PADs utilized for making connections must obtain user ID, password, and destination address as part of the connection sequence. The validation subsystem (VS) will support only user-generated password changes, invoked by connecting to a special password change mnemonic which is recognized by the VS. The AH is notified in real-time of invalid access attempts as an alarm log. The TAMS host software is partitioned onto an AH, multiple VHs on respective PCs associated with the respective source and destination switches, and a single backup VH, with data base updates automatically transferred between AH and VH data bases, but not necessarily in real-time.

In the preferred embodiment of the enhanced TAMS system shown in FIG. 3, the ITI-2 and Async-to-3270 DSP-2 terminal PADs obtain user ID, password, and destination as part of the connection sequence. The former PAD prompts for these fields, while the latter PAD employs off-line menu processing. This information is used to build NUI and MN facilities in the call request. The "system password" (account code) is not used, and the PADs do not prompt for it, or display a field in the case of the Async-to-3270 PAD. The SNA 3270 and BSC 3270 DSP-2 terminal PADs are enhanced to build NUI and MN facilities based on information entered in the off-line (CONNECT) menu, rather than processing the ID and MN locally. Since the system password is not used, these PADs do not contain a field for it. The VS supports only user-generated password changes. Such changes are invoked by "connecting" to a special Password Change mnemonic, which is recognized by the VS. The user may indicate the desired new password at the PAD password prompt. Notifications of invalid access attempts are sent in real-time to the AH, and additional reporting capabilities are required for this "alarm log".

The TAMS host software is partitioned onto an AH, multiple PC VHs, and a single centralized administration and backup VH (e.g., the Prime minicomputer 92 which provides both Administrative Subsystem (AS) and Validation Subsystem (VS) capabilities). Data base updates are automatically transferred between AH and VH data bases, rather than requiring operator intervention to transfer transaction files between the hosts and to apply the transaction files to the data bases, as in the existing system. However, the update system is not
required to operate in real-time. The user will be required to change its password at periodic intervals, the frequency of which is a configurable, system-wide parameter, selectable by the system administrator. The system notifies the user that the password has expired, and the user must then execute a change.

The ITI-2 PAD, 3270 BSC DSP-2 PAD, 3270 SNA DSP-2 PAD, and Async-to-3270 DSP-2 PAD each supports the user interface. The user enters ID, password and destination using the off-line menu and this information is used to build the NUI and MN facilities required for validation by the VH or VS. The VS interfaces to the PDN to validate calls forwarded by a packet switch to a VH. The AS provides the ability to build and update the system data base used by the VS. The system data base is implemented using the RAPPORT data base management system (DBMS), and consists of a number of interrelated files.

The VS software consists of three major programs, namely, Validation Phantom, Operations Manager, and Intruder Alarm. The Validation Phantom receives validation requests from the network and validates them against the system data base. For example, for a single-transaction validation where the user has entered a mnemonic, the user record is retrieved and the password validated. Then the mnemonic is translated to a network address, and the corresponding network address record is retrieved. If the address is secured, access by that user is validated by looking for a User/Mnemonic record matching that user with the mnemonic. Finally, the allowable call types of both user and host are validated against those received in the call request (CUI or NUI facility). When the call has been validated, the Validation Phantom clears the call with the CFW, ID, and SKY facilities, to forward the call to the proper destination. Invalid attempts by a known user are subject to a retry algorithm, which permits a configurable number of invalid attempts within a specified time interval, after which a user is temporarily suspended for a predetermined period of time. During that period, all attempts by the user to access the network are rejected. If the user is temporarily disconnected a configurable number of times without successful validation, the user is permanently disconnected, requiring administrator intervention to enable subsequent access to the network. In the present embodiment, each Validation Phantom can process only one call at a time; multiple phantoms are run to support a multiplicity of simultaneous validations. However, a single Validation Phantom could be implemented to perform the latter function, if desired.

The Operations Manager is utilized to control and monitor the VS. It allows the system operator to initiate

ther, provision may be made for automatically generated passwords rather than allowing the user to compose its own password.

The AS software includes DB_MAINT, which is the primary program used to administer the access management system data base. This program is used to interactively query/modify the contents of a data base (AH or VH). Interactive updates are written to a transaction log; another DB_MAINT function allows this log to be applied to a data base in "batch" mode. In the single AH/multiple VH environment, the transaction log is manually transported from the AH to each VH on a periodic basis (e.g., daily), and applied to the VH data base(s). The manual transportation is typically accomplished via tape, or host (e.g., Prime minicomputer) file transfer. The batch update mechanism is also used in the PDN environment to apply transactions generated by management information systems (MIS) that have the responsibility of adding new users, hosts, and the like to their own systems.

DB_MAINT also produces a variety of reports, either on-line or to a disk file. A "read-only" version of DB_MAINT known as DB_QUERY provides only record query and report capabilities. RAPIDE query language is a fourth-generation language supplied by RAPPORT for ad hoc reporting and other activities against the data base, and, as with DB_MAINT, may be used against any of the access management system AH or VH data bases. In addition, utilities are provided to print/purge the Log File, freezelist a user, drain password changes to transaction log for application to the user record, and create/dump/load the data base.

An example of the TAMS data flow is shown in FIG. 7. Validation Phantom 50 of a VH 65 (on a particular PC) receives a validation call 51 from the network and accesses the system data base 52 for validation. If the call is validated, Validation Phantom 50 clears the call by means of building a clear request with CFW, ID, and SKY facilities, thereby forwarding the call to the proper destination. If the call is invalid (subject to the predetermined number of retries, if appropriate, and the predetermined number of invalid attempts within the selected time interval), the Intruder Alarm phantom 54 is notified, under the control of Operations Manager 55. Depending upon the seriousness of the access infractions, the Intruder Alarm phantom may route the applicable alarms 56 to an alarm terminal 57, as well as write them to a log file on data base 52. As indicated earlier, Operations Manager 55 controls and monitors the VS and permits the system operator to initiate and terminate the validation and intruder alarm phantoms.

At the AH 66 (on a minicomputer), the DB_MAINT program 60 interactively queries and modifies the con-

and terminate the validation phantom, and the intruder tents of data base 61 of AH 66 or data base 52 of VH 65. 

alarm phantom to be described below. Various monitor 55 The interactive updates are written to transaction log 

displays are used to indicate the current status of the 62, the contents of which are applied through the batch 

VS. In the present embodiment, the program is used to mode function 63 of DB-MAINT to data base 52 of 

instruct the phantoms to switch the copy of the data VH 65. As noted above, in the embodiment in which a 

base they are using for the validations. single AH is utilized with a multiplicity of VHs (one 

The Intruder Alarm phantom receives notifications 60 associated with each PC), the files of transaction log 62 

of certain serious invalid access attempts, for example, are manually transferred periodically from AH 66 to the 

by freeze-listed or suspended users, and routes these data base of each VH (including 65). The TAMS Ad- 

alanns to a terminal and also writes them to the log file ministrator interacts with both the DB-MAINT pro- 

on the data base. RAPIDE query language may be used gram and the Operations Manager to perform their 

to produce ad hoc reports on this file, if desired. 65 respective tasks. 

In addition to the foregoing programs, a password The TAMS data flow in a preferred embodiment of 

change may be included as a VS process to interact with the present invention is illustrated in FIG. 8. An Alarm 

the asynchronous user to obtain a new password. Fur- and Log subsystem 70 replace the Intruder Alarm phan- 
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torn of the VS of FIG. 7, to provide centralized collec- received records and displays alarms on the alarm ter- 

tion t display, and analysis of alarms and log records. An minal 108; and RAPIDE 109 which produces various 

Update Distribution subsystem 71 provides automated reports from the log file 110. All system alarms and log 

collection and distribution of data base updates to and records are sent to the AH as a central site for logging, 

from AH 72 and VH 73, in place of the manual method 3 display t and reporting. Alarms and other log entries 

performed in the system of FIG. 7. continue to be generated by the Validation Phantoms. 

An exemplary Validation Subsystem is shown in An alarm is generated when a user has registered a 
FIG. 9. In the PC based VH of the present invention, configurable (preprogrammed) number of successive 
the Validation Host (VH) software may run under invalid log-in attempts within a preselected time inter- 
XEN1N on a Tandem 6AT computer with AST X.25 10 val, or when a user is permanently suspended, for exam- 
board. The TAMS data base is managed by a pie. The Alarm and Log Subsystem provides a subrou- 
BTRIEVE file management package B0, which pro- tine interface through which any subsystem may send 
vides most of the features of the RAPPORT DBMS. an alarm to the Alarm Mailer. To minimize the number 

The NUI (Network User Identification) facility is of active virtual circuits on the AH, the Alarm Mailer 

supported for single-transaction validation. The NUI 15 clears down the call to the AH after 8 predetermined 

facility is placed in the call request packet by the PAD period of inactivity. 

when the user enters its user ID and password. Pass- Unformatted alarms and Log entries are received at 

word changes are processed locally by the receiving the AH, written into the Log File, and may be sent to 

VH, and forwarded to the AH for distribution to the the Alarm Terminal. The Log File on the data base 

remaining VHs. In the VS, password change requests 20 contains the date/time of the entry, log code and mes- 

are sent to the VH as an NUI facility, with the Pass- sage type, and a text area containing destination/source 

word Change application mnemonic as the destination. addresses, user ID, and/or call types appropriate to the 

Both the old and the new password are contained in the type of error. These additional fields are formalized by 

NUI facility for a password change. If the old password defining them as individual fields to RAPPORT, which 

matches the current user password in the the TAMS 25 allows ad hoc reports to be created based on the fields, 

data base, the password is changed to the new pass- using RAPIDE query language. The sending VH is also 

word. In that case, the call is cleared with a VER facil- identified in the log record. The format and content of 

ity indicating the successful password change. The user reports created by RAPIDE from the LOG File is 

must then reenter the user ID, new password, and desti- determined by the TAMS Administrator, 

nation, and be revalidated. If the change was unsuccess- 30 The Update Distribution subsystem is shown in FIG. 

ful, because the old password is invalid, an appropriate 12. Updates are periodically accumulated on the AH 

message is sent to the user in the VER facility as the call from the VHs (password changes), and applied to the 

is cleared. Users from foreign PDNs are accommodated AH data bases 120. Such transactions, along with those 

in substantially the same manner, but through support in generated from normal administrative activities (i.e., 

the interactive validation dialogue. An interactive pass- 35 DB_ MAINT), are transferred from the AH to the 

word change is performed regardless of the specified VHs, where they arc used to update the VH data base 

destination address or mnemonic. 122. User-related records are partitioned onto the VHs 

The VH is capable of initiating all VS software auto- through which the user will access the network. The 

matically, including data base server, data base recover partitions are indicated by TAMS Administrator 125 

program, validation phantoms, update distribution 40 when adding a user, and are propagated to the user 

phantom, and alarm mailer phantom. These processes profiles. 

are run from the system startup file (XENIX or equiva- Each access management system supports a single 

lent). The ability to remotely log-on to XENIX is pro- data base, and consequently, password changes are 

vided for emergency use. instantly effective (locally) because no synchronization 

For valid calls, the following facilities are sent in the 45 between data bases is required. Also, a single data base 

clear request: call forward, indicating destination DTE; provides desirable operational simplicity, particularly 

security key, if the host is secure: ID, if a user ID was with a large number of VHs. A single transaction log 

entered; and charge override, if a user ID was entered containing all transactions applied to the data base is 

and no change type was specified in the reverse charge kept on each system, and is shared by all subsystems 

facility. 50 running on the host. For VHs, the transaction log is 

A typical Administrative Subsystem is shown in FIG. shared by all validation programs; while on the AH, the 

10. In support of the Update Distribution subsystem, transaction log is shared by the administrative software 

DB_M AINT 91 shares its transaction log with all other (DB_ MAINT) and the processes which apply transac- 

subsystems running on the AH. Transactions are logged dons collected from the VHs, as well as any validation 

in before they are actually applied to the data base 92. A 55 phantoms running on the AH. A transaction is logged 

RAPPORT data base management system 93 is utilized. before being committed to the data base, to ensure that 

To accommodate recovery from catastrophic failures, all concurrent transactions which depend on each other 

the data base is dumped periodically (e.g., nightly) to a are both logged and applied in the same order. This also 

transaction file, and the most recent dump is kept on- ensures that there are no updates applied to the data 

line. Relevant Update Distribution subsystem data 60 base which cannot be recovered from the transaction 

structures are also updated during the dump to indicate log. 

the current dump for use in VH recovery. This func- The sender process of the Update Distribution sub- 

tionality is mutually initiated by the TAMS Administra- system runs on both AH and VH. Based on time and 

tor 95. number of queued updates, it periodically sends accu- 

The Alarm and Log Subsystem is shown in FIG. 11, 65 mulated transactions to preselected other hosts. For 

and consists of three primary components: an alarm/log example, a VH sends transactions to the AH, and the 

mailer 106 which routes alarms and log records from AH sends transactions to all VHs. The sending is done 

the VH to the AH; an alarm logger 107 which logs the on a file basis, typically, the aforementioned transaction 
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log; (he unit or transfer/acknowledgment is an entire 
file. Transfer is not considered complete until the trans- 
actions have been applied to the receiver's data base. 
Recovery consists of resending the entire file. The re- 
ceiver process of the subsystem also runs on both AH 5 
and VH, collecting received transactions into a single 
pending transaction file. Periodically, the respective 
Transaction Application component 127 is invoked to 
apply the collected transactions to the AH data base. 
The applied transaction log is then sent to the VHs 10 
using the sender process. The Receiver receives a single 
file in its entirety before accepting another call and 
starting another transfer. The order or arrival of trans- 
actions at the AH is the order of application at the AH 
and at the VHs. The Sender and Receiver processes are 15 
decoupled from each other, in that receiving may take 
place simultaneously with sending. The only constraint 
is that the host may not distribute a partially received 
(and therefore unapplied) transaction Ale. 

The Transaction Application component applies a 20 
transaction file to the data base. It does not revalidate 
transactions, because validation is assumed to have been 
accomplished by the originator of the transaction. All 
transactions consist of additions, updates, or deletions of „ 
a single record. 

User related transactions are partitioned onto the 
specific VHs through which the user accesses the net- 
work. Other transactions are broadcast to all VHs. The 
TAMS Administrator indicates the partition when add- ^ 
ing a user, and the partition is mapped to one or more 
VHs. Conversion of the partition to VH addresses takes 
place in the Sender. The VH typically sends all transac- 
tions to a partition representing the AH. 

Retry record updates are not propagated from VH to 35 
AH, and, therefore, the DB— MAINT interactive ad- 
ministrative program cannot be used to resolve perma- 
nent suspension situations by deleting the user's retry 
record. A new utility is developed to prompt the admin- 
istrator for a user ID, build the appropriate update 40 
transaction, and write it to the transaction log. The 
Update Distribution subsystem delivers this transaction 
to the relevant VHs where the record will be deleted. 
The TAMS Administrator may initiate the transfer of 
an entire VH data base from the AH to the VH, the data 45 
base being transferred as a transaction file which was 
created during the periodic AH archiving activities. 
Following the distribution and application of this trans- 
action field, all transaction batches created thereafter 
are distributed to the recovering VH as part of the 50 
normal Sender function. 
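The following Python model is an added example and is not part of the patent or of the TAMS software it describes. It implements the single-transaction validation steps described above for the Validation Phantom and FIG. 7 (user record and password check, mnemonic-to-address translation, User/Mnemonic check for a secured address, call-type check, and the CFW/ID/SKY facilities of the clear request), together with the retry algorithm (a configurable number of invalid attempts within a time interval leads to temporary suspension, and a configurable number of suspensions to permanent disconnection) and the notifications that the Intruder Alarm phantom receives for suspended and freeze-listed users. The record layouts, the function names (validate_call, sample_database), the parameter values, and the sample user, mnemonic and address values are assumptions made for the example.

```python
import hmac
from dataclasses import dataclass, field

# Retry-algorithm parameters. The patent says these are configurable; the
# values here are constructed for the example.
MAX_INVALID_PER_WINDOW = 3     # invalid attempts tolerated within the window
WINDOW_SECONDS = 300           # the "specified time interval"
SUSPENSION_SECONDS = 900       # length of a temporary suspension
MAX_SUSPENSIONS = 2            # temporary suspensions before permanent disconnection


@dataclass
class UserRecord:
    user_id: str
    password: str              # a production system would store a salted hash instead
    call_types: set            # call types the user may place
    freeze_listed: bool = False

@dataclass
class AddressRecord:
    address: str               # network (DTE) address the mnemonic translates to
    secured: bool
    call_types: set            # call types the host accepts
    security_key: str = ""     # sent as the SKY facility when the host is secured

@dataclass
class RetryRecord:
    attempts: list = field(default_factory=list)   # times of recent invalid attempts
    suspended_until: float = 0.0
    suspensions: int = 0
    permanent: bool = False

@dataclass
class SystemDatabase:
    users: dict                # user_id -> UserRecord
    mnemonics: dict            # mnemonic -> network address
    addresses: dict            # network address -> AddressRecord
    user_mnemonics: set        # (user_id, mnemonic) pairs allowed to reach secured addresses
    retries: dict = field(default_factory=dict)   # user_id -> RetryRecord
    alarms: list = field(default_factory=list)    # notifications for the Intruder Alarm phantom


def _invalid(db, user_id, retry, now, reason):
    """Retry algorithm for one invalid attempt by a known user."""
    retry.attempts = [t for t in retry.attempts if now - t < WINDOW_SECONDS]
    retry.attempts.append(now)
    if len(retry.attempts) >= MAX_INVALID_PER_WINDOW:
        retry.attempts = []
        retry.suspensions += 1
        if retry.suspensions >= MAX_SUSPENSIONS:
            retry.permanent = True        # only an administrator can re-enable the user
            db.alarms.append((user_id, "permanent suspension"))
        else:
            retry.suspended_until = now + SUSPENSION_SECONDS
            db.alarms.append((user_id, "temporary suspension"))
    return {"result": "rejected", "reason": reason}


def validate_call(db, user_id, password, mnemonic, call_type, now):
    """Single-transaction validation as the Validation Phantom performs it."""
    user = db.users.get(user_id)
    if user is None:
        return {"result": "rejected", "reason": "unknown user"}
    retry = db.retries.setdefault(user_id, RetryRecord())
    if retry.permanent or now < retry.suspended_until:
        db.alarms.append((user_id, "attempt while suspended"))
        return {"result": "rejected", "reason": "user suspended"}
    if user.freeze_listed:
        db.alarms.append((user_id, "attempt by freeze-listed user"))
        return {"result": "rejected", "reason": "user freeze-listed"}
    if not hmac.compare_digest(password.encode(), user.password.encode()):
        return _invalid(db, user_id, retry, now, "bad password")
    host = db.addresses.get(db.mnemonics.get(mnemonic))
    if host is None:
        return _invalid(db, user_id, retry, now, "unknown mnemonic")
    if host.secured and (user_id, mnemonic) not in db.user_mnemonics:
        return _invalid(db, user_id, retry, now, "no User/Mnemonic record")
    if call_type not in user.call_types or call_type not in host.call_types:
        return _invalid(db, user_id, retry, now, "call type not allowed")
    retry.attempts = []                  # a successful validation closes the window
    facilities = {"CFW": host.address, "ID": user_id}
    if host.secured:
        facilities["SKY"] = host.security_key
    return {"result": "cleared", "facilities": facilities}


def sample_database():
    """Constructed sample records, not data from the patent."""
    return SystemDatabase(
        users={"ALICE": UserRecord("ALICE", "s3cret", {"DATA"}),
               "BOB": UserRecord("BOB", "hunter2", {"DATA"}, freeze_listed=True)},
        mnemonics={"PAYROLL": "311012345678", "PUBLIC": "311087654321"},
        addresses={"311012345678": AddressRecord("311012345678", True, {"DATA"}, "K1"),
                   "311087654321": AddressRecord("311087654321", False, {"DATA", "INTERACTIVE"})},
        user_mnemonics={("ALICE", "PAYROLL")},
    )
```

The alarms list stands in for the notification interface to the Intruder Alarm phantom; an attempt by an unknown user is simply rejected, since the patent applies the retry algorithm to known users only, and a rejected attempt of any kind counts toward the window, so a failed call-type check followed by two bad passwords produces the first suspension.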
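As a second added example (again not code from the patent), the following Python code models the Log File fields described above for the Alarm and Log Subsystem of FIG. 11 (date/time, log code, message type, source and destination addresses, user ID, call type, and the sending VH) and a few of the ad hoc reports a TAMS Administrator could produce over those fields in the manner of RAPIDE. The '|'-separated line format, the log code names, the function names, and the sample log lines are constructed for the example; the patent does not specify an encoding.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Field layout is an assumption of this example: the patent names the fields
# but not how they are encoded. One record per line, '|' separated.
FIELDS = ("timestamp", "vh", "log_code", "msg_type",
          "source", "destination", "user_id", "call_type")

# Constructed sample log lines, not data from the patent.
SAMPLE_LOG = """\
1989-04-28T09:00:05|VH01|LOGIN_FAIL|ALARM|311001|311012345678|ALICE|DATA
1989-04-28T09:00:21|VH01|LOGIN_FAIL|ALARM|311001|311012345678|ALICE|DATA
1989-04-28T09:00:40|VH01|LOGIN_FAIL|ALARM|311001|311012345678|ALICE|DATA
1989-04-28T09:00:41|VH01|TEMP_SUSPEND|ALARM|311001|311012345678|ALICE|DATA
1989-04-28T09:05:00|VH02|CALL_CLEARED|LOG|311002|311087654321|CAROL|DATA
1989-04-28T09:07:13|VH02|LOGIN_FAIL|ALARM|311003|311012345678|BOB|DATA
1989-04-28T09:07:50|VH02|LOGIN_FAIL|ALARM|311003|311012345678|CAROL|DATA
1989-04-28T09:08:02|VH02|LOGIN_FAIL|ALARM|311003|311012345678|DAVE|DATA
1989-04-28T09:30:00|VH02|PERM_SUSPEND|ALARM|311003|311012345678|BOB|DATA
"""


def parse_log(text):
    """Parse the Log File into records, rejecting malformed lines rather than guessing."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        rec = dict(zip(FIELDS, parts))
        rec["timestamp"] = datetime.fromisoformat(rec["timestamp"])
        records.append(rec)
    return records


def alarm_records(records):
    """Entries the alarm logger would display on the alarm terminal."""
    return [r for r in records if r["msg_type"] == "ALARM"]


def failures_by_user(records):
    """Ad hoc report: invalid log-in attempts per (sending VH, user ID)."""
    return Counter((r["vh"], r["user_id"]) for r in records if r["log_code"] == "LOGIN_FAIL")


def suspended_users(records):
    """Users with a permanent-suspension alarm, i.e. those needing administrator action."""
    return sorted({r["user_id"] for r in records if r["log_code"] == "PERM_SUSPEND"})


def users_tried_per_source(records, threshold=2):
    """Source addresses from which more than `threshold` distinct user IDs failed to
    log in. The source-address field makes this report possible; the per-user retry
    algorithm on its own would not relate these attempts to one another."""
    tried = defaultdict(set)
    for r in records:
        if r["log_code"] == "LOGIN_FAIL":
            tried[r["source"]].add(r["user_id"])
    return {src: sorted(users) for src, users in tried.items() if len(users) > threshold}
```

Because the sending VH and the source address are separate fields, the same log serves both the per-VH operational view and a network-wide view across VHs once the records are collected at the AH.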
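As a third added example (not the patent's own code), the following Python model follows the Update Distribution subsystem of FIG. 12 as described above: a transaction is written to the log before it is committed, the Sender converts a partition into host addresses and sends a whole transaction file, the Receiver collects a file in its entirety into a pending file before the Transaction Application component applies it in arrival order without revalidation, an acknowledgment is returned only after the file has been applied, and recovery after a failed transfer is a resend of the entire file. It also builds the retry-record deletion transaction of the administrator utility. The partition table, the Host structure, the transaction dictionary layout, the function names, and the simulated link failure are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Host:
    """An AH or VH: its data base, its transaction log, and the Receiver's files."""
    name: str
    db: dict = field(default_factory=dict)        # record key -> record
    txlog: list = field(default_factory=list)     # transactions in the order applied here
    partial: dict = field(default_factory=dict)   #  file id -> records received so far
    pending: list = field(default_factory=list)   # complete files awaiting application, in arrival order


# Partition name -> host names (constructed for the example). The TAMS
# Administrator assigns a partition when adding a user; the Sender converts
# it to addresses. Transactions without a partition are broadcast ("ALL").
PARTITIONS = {"EAST": ["VH01", "VH02"], "WEST": ["VH03"],
              "ALL": ["VH01", "VH02", "VH03"], "AH": ["AH"]}


def log_and_apply(host, tx):
    """Write the transaction to the log first, then commit it to the data base."""
    host.txlog.append(tx)
    op, key = tx["op"], tx["key"]
    if op in ("add", "update"):
        host.db[key] = tx["record"]
    elif op == "delete":
        host.db.pop(key, None)
    else:
        raise ValueError(f"unknown transaction type {op!r}")


def apply_pending(host):
    """Transaction Application: apply complete files in arrival order, without revalidation."""
    while host.pending:
        _file_id, txs = host.pending.pop(0)
        for tx in txs:
            log_and_apply(host, tx)


def transfer(file_id, txs, receiver, lose_after=None):
    """Sender side of one file transfer. Returns True only if the Receiver
    acknowledged, which it does only after applying the whole file.
    lose_after simulates a link failure after that many records (constructed)."""
    receiver.partial[file_id] = []           # a resend starts over; a partial copy is never forwarded
    for i, tx in enumerate(txs):
        if lose_after is not None and i >= lose_after:
            return False                     # no acknowledgment: recovery is a resend of the entire file
        receiver.partial[file_id].append(tx)
    receiver.pending.append((file_id, receiver.partial.pop(file_id)))
    apply_pending(receiver)
    return True


def distribute(txs, vhs, file_id):
    """AH Sender: route each transaction to the hosts of its partition, one file per VH."""
    by_vh = {vh.name: [] for vh in vhs}
    for tx in txs:
        for name in PARTITIONS[tx.get("partition", "ALL")]:
            if name in by_vh:
                by_vh[name].append(tx)
    return {vh.name: transfer(f"{file_id}-{vh.name}", by_vh[vh.name], vh)
            for vh in vhs if by_vh[vh.name]}


def retry_reset_transaction(user_id, partition):
    """The administrator utility's transaction: delete a permanently suspended user's
    retry record on the VHs of the user's partition (retry records are not kept on the AH)."""
    return {"op": "delete", "key": f"retry:{user_id}", "partition": partition}
```

Because a file enters `pending` only once it is complete, and `transfer` returns False before that point on a failed link, the receiving host can never apply or redistribute a partially received file, which is the one ordering constraint the description places on the decoupled Sender and Receiver.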

While a presently preferred embodiment of the invention has been described in detail herein, it will be apparent to those persons of ordinary skill in the field to which the invention pertains that variations and modifications may be made without departing from the true spirit and scope of the invention. Accordingly, it is intended that the invention is to be limited only to the extent required by the following claims.

What is claimed is:

1. A system for managing access to data among users and host computers in a public data communications network applied to provide data communications paths between and among the users and the host computers via communication links and transmit nodes of the network, in which the nature and degree of access by or to each user and host computer is designated in advance by respective ones of the plurality of network customers who maintain the host computers and who allow authorized user access thereto, said system comprising

a multiplicity of potential user stations,

a multiplicity of host computers for compiling and furnishing data on request of users and other host computers,

a multiplicity of switch means operatively associated with respective ones of said user stations and said host computers, and located at points of entry to said data communications paths of said network remote from said respective ones of said user stations and said host computers, for establishing and disconnecting a communication path through the network between a user station and a host computer to which access is requested by said user station for a communication session therewith, and

access management means operatively associated with each of said switch means for examining requests for establishing a data communications path through said network between a user station and a host computer received by the associated one of said switch means for validation of said requests and for granting and denying the respective requests by issuance of corresponding instruction signals to said switch means, according to the nature and degree of access designated by the respective network customer.

2. The access management system according to claim 1, wherein requests for establishment of a data communications path are generated from said user stations and host computers in the form of a digital signal containing information indicative of the authorization of the requester for the requested access.

3. The access management system according to claim 1, wherein said network is a packet switching network, said user stations have respective packet assemblers/disassemblers operatively associated therewith, and said digital signals are generated in the form of packets containing information representative of the attributes of the user respecting nature and degree of authorization.

4. The access management system according to claim 1, wherein said access management means includes

validation host computer means coupled to an associated one of said switch means for validating requests for access received thereby,

administrative host computer means coupled to the validation host computer means for monitoring the respective requests, and

relational database means associated with said validation host computer means and said administrative host computer means for storing information regarding authorized users, user attributes including identification data and passwords, and destination addresses to which users shall have access.

5. The access management system according to claim 1, wherein each of said switch means includes memory means for controlling priority of requested access by the associated ones of said user stations and host computers, and means for transmitting and receiving data to and from said access management means.

6. The access management system according to claim 4, wherein said administrative host computer means includes means for recording invalid attempts at obtaining access to a destination address via the switch means associated with the requester, and said validation host computer means includes means for commanding the respective switch means to disconnect the requester after a predetermined number of successive invalid attempts at access to that destination address by that requester.

7. A method for upgrading security in a public data communications network to assure that the dictates of each network customer are followed with respect to accessibility by network users via terminals to host computers maintained by the respective network customer, said method comprising

installing at points of entry to data communications links of said network a plurality of switch means for operative association with respective user terminals and host computers but physically remote therefrom, to establish connection and disconnection of data communications link through the network among user terminals and host computers on demand by authorized users,

installing in association with said network an access management host computer and relational database designating authorized users and their attributes and destination addresses to which the various users are authorized access based on said dictates of the network customers, for analyzing requests for access among said users and host computers and issuing instructions respecting establishment of connections and disconnections to the respective switch means based on information contained in said relational database, and

providing a data link between said access management host computer and each of said switch means for communication of access requests and responsive instructions therebetween.

8. In a security access management system for a packet switched data communications network adapted to selectively provide transmission paths for communication sessions between a multiplicity of data terminal equipments (DTEs) located outside the network via communication links and transit nodes within the network through a plurality of packet switches each located at a respective one of a plurality of entry points to the network and associated with one or more of the DTEs for routing packets therefrom and thereto at that entry point, according to the destination DTE address and source DTE authorization information contained within the packets assembled for transmission from a source DTE, and wherein the extent of access between and among a group of the DTEs associated with a particular customer of the network is mandated by that customer such that different DTEs within the same group may be authorized for different levels of access to destinations within the group, the improvement comprising:

plural access management means each respectively operatively associated with a packet switch at an entry point of the network, each access management means including:

administrative means for examining source DTE authorization information contained within packets received at the associated packet switch for transmission through the network to destination addresses for the packets,

database means maintained by the administrative means for storing information relating to pre-assigned levels of authorization of the source DTEs using the respective entry point of the network for access to specified destinations, and

validation means responsive to comparison of the DTE source authorization information contained in a packet under examination by the administrative means to the pre-assigned level of authorization for that source DTE for granting or denying access thereby through the associated packet switch to the destination address with which a communication session is requested.

9. The improvement of claim 8, wherein the validation means includes means for instructing the associated packet switch by validation signals to permit or prevent passage of packets therethrough from the source DTE to the destination address with which the communication session is requested, according to the determination of grant or denial of access.

10. The improvement of claim 9, wherein the pre-assigned levels of authorization of the source DTEs within the information stored by the database means includes authorization for at least one source DTE using the respective entry point to have access to a specified destination address for multiple communications sessions therewith, and for at least some of the other source DTEs using that same entry point to the network to have access for only a single communication session with the specified destination address.

11. The improvement of claim 10, wherein the packet switch is responsive to validation signals from the associated validation means indicative of a source DTE authorized for multiple communication session access to the requested destination address, to inhibit subsequent examination of source DTE authorization information contained within packets received from that source DTE at the packet switch for transmission through the network to that destination address for at least a predetermined interval of time following receipt of such validation signals.

12. The improvement of claim 9, wherein each access management means is physically located remote from the source DTEs which use the respective entry point to the network of its associated packet switch.